
Stuff that doesn't need its own Thread


Comments

  • Moderators, Technology & Internet Moderators Posts: 37,485 Mod ✭✭✭✭Khannie


    God damnit, I hate ridiculous app requirements.....

    [attached image: 318011.jpg]

    edit: And that's not even all of them!!! They wouldn't all fit on the screen. :/


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    That looks to be a slightly old version of the Play Store where they just give the permissions per very abstract category. They have included more details in recent versions, but it's still related to all permissions for a given category, rather than fine-tuned for what the app in question specifically requests:

    https://play.google.com/store/apps/details?id=com.whatsapp (Click "View permissions")

    But you might want to look into one of these solutions: http://www.xda-developers.com/android/protecting-your-privacy-app-ops-privacy-guard-and-xprivacy/


  • Closed Accounts Posts: 18,969 ✭✭✭✭syklops


    I was about to quote Khannie's post then remembered he gets grumpy when people do that. At this year's DefCon, John McAfee spoke about many things including the eventful year he had last year, but he also spoke about an app he created called DCentral1 which audits the permission requirements of the apps installed and gives each one a rating. My friend found it interesting that his banking app requires access to his camera.

    I recommend installing it and checking what you have. You can tweak the thresholds yourself, so it's OK if your camera app needs access to your camera, or your gallery app needs access to your SD card, but you can quickly see if your wallpaper app is reading your calls.

    You can get it from the play store.


  • Moderators, Technology & Internet Moderators Posts: 37,485 Mod ✭✭✭✭Khannie


    syklops wrote: »
    I was about to quote Khannie's post then remembered he gets grumpy when people do that.

    AAAAhahahahaha. :P Only when you quote the pic. ;)
    syklops wrote: »
    My friend found it interesting that his banking app requires access to his camera.

    That's disgraceful tbh.
    syklops wrote: »
    You can get it from the play store.

    Thanks, I'll check it out.


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    http://dontevenreply.com/

    Few good lols in that.


  • Closed Accounts Posts: 18,969 ✭✭✭✭syklops


    That's disgraceful tbh.

    My friend wrote to the bank.


    The bank wrote back! :eek:

    Needless to say it's not an Irish bank.

    Anyway, they said the reason their app requires access to the camera is in case the phone gets stolen: if someone tries to use the app after they have been informed that the phone has been stolen, it's so they can take a picture of the person using the app and send it to their servers for further investigation.

    My initial thought was Bo%$ox!

    That said, the bank responded to his query and is one of the few banks I know to provide dual-factor auth for online banking - by default. So, I'll give them credit to be honest.


  • Closed Accounts Posts: 18,969 ✭✭✭✭syklops


    How do we feel about blog links? And by we, I mean the gods mods of the security forum. Work asked me to write about my trip to DefCon 22 for their corporate blog. I intend on copying the text to my personal blog and, if there is interest, pasting it here. I'm not looking for bigger readership or anything, I just thought some people in this forum would be genuinely interested.

    If there is interest, but we are not happy about posting links, I can paste the text as a comment instead.

    Interested in hearing thoughts.

    P.S. A thread for stuff that doesn't need its own thread was a great idea!


  • Registered Users Posts: 5,112 ✭✭✭Blowfish


    syklops wrote: »
    How do we feel about blog links? And by we, I mean the gods mods of the security forum. Work asked me to write about my trip to DefCon 22 for their corporate blog. I intend on copying the text to my personal blog and, if there is interest, pasting it here. I'm not looking for bigger readership or anything, I just thought some people in this forum would be genuinely interested.

    If there is interest, but we are not happy about posting links, I can paste the text as a comment instead.

    Interested in hearing thoughts.

    P.S. A thread for stuff that doesn't need its own thread was a great idea!
    I'd be interested...though I think I've already read it.


  • Moderators, Technology & Internet Moderators Posts: 37,485 Mod ✭✭✭✭Khannie


    Ah yeah...fire away. It's not spam if you're a regular contributor IMO.


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49



    I just had a read of this; a summary of this user's complaints about GPG would seem to be as follows:

    - Key distribution is problematic as keys are large and also there's no centralised key server, such as is the case with Apple's iMessage. (I kid you not, he mentioned iMessage as an example...)

    - No forward secrecy for messages.

    - The OpenPGP default encryption formats in some cases are quite old, e.g. CAST5.

    - Many of the implementations inside the mail client aren't easy to use and require you to enter the password for your private key, which will then exist in the computer's memory.

    I don't think he's being very fair, at least on the first point. It seems to me if you want to trust Google/Yahoo both to manage your keys and encrypt your data for you, you might as well not bother encrypting the data in the first place.

    As for older encryption ciphers and awkward mail interfaces, you can get around this problem by simply using a separate program to encrypt/decrypt messages and just paste the text between windows, e.g. GPG4USB.

    Would be interested to hear all of your thoughts on this that said.


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    syklops wrote: »
    How do we feel about blog links? And by we, I mean the gods mods of the security forum. Work asked me to write about my trip to DefCon 22 for their corporate blog. I intend on copying the text to my personal blog and, if there is interest, pasting it here. I'm not looking for bigger readership or anything, I just thought some people in this forum would be genuinely interested.

    If there is interest, but we are not happy about posting links, I can paste the text as a comment instead.

    Interested in hearing thoughts.

    P.S. A thread for stuff that doesn't need its own thread was a great idea!

    Hi syklops, I'd be very interested to read about your experience. For the record I have shamelessly linked to my own Security blog in the past but if it's to provide info that isn't available elsewhere, which of course would be the case if you want to recount your own experiences, I think it can be justified.


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    Gmail smartphone app hacked by researchers
    US researchers say they have been able to hack into Gmail accounts with a 92% success rate by exploiting a weakness in smartphone memory.
    The researchers were able to gain access to a number of apps, including Gmail, by disguising malicious software as another downloaded app.
    Other apps hacked included H&R Block, Newegg, WebMD, Chase Bank, Hotels.com and Amazon.

    The Amazon app was the hardest to access, with a 48% success rate.
    The hack involves accessing the shared memory of a user's smartphone using malicious software disguised as an apparently harmless app, such as wallpaper.


    This shared memory is used by all apps, and by analysing its use the researchers were able to tell when a user was logging into apps such as Gmail, giving them the opportunity to steal login details and passwords.

    "The assumption
    Assumption!!! :eek:

    :pac::pac::pac:

    I always think of that when I see assumed... lol
    "The assumption has always been that these apps can't interfere with each other easily," said Zhiyun Qian, an assistant professor at the University of California and one of the researchers involved in the study.
    "We show that assumption is not correct, and one app can in fact significantly impact another and result in harmful consequences for the user."

    Android. It's full of holes.


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    SSL Vulnerabilities: Who listens when Android applications talk?

    Nuke Regulator Hacked by Suspected Foreign Powers

    Can they not send them on a 3-day course and teach them not to click on everything with a line under it or something?


    Future Hack: New Cybersecurity Tool Predicts Breaches Before They Happen
    A new research paper (PDF) outlines security software that scans and scrapes web sites (past and present) to identify patterns leading up to a security breach. It then accurately predicts what websites will be hacked in the future. The tool has an accuracy of up to 66%. Quoting: "The algorithm is designed to automatically detect whether a Web server is likely to become malicious in the future by analyzing a wide array of the site's characteristics: For example, what software does the server run? What keywords are present? How are the Web pages structured? If your website has a whole lot in common with another website that ended up hacked, the classifier will predict a gloomy future. The classifier itself always updates and evolves, the researchers wrote. It can 'quickly adapt to emerging threats.'"

    The comments are far from kind and I haven't skimmed the report but the idea here is good. The bit in bold itself would be very useful. I was reading about a breach in some US firm the other day, the breach was a few years back but the head guy was so pissed as similar setups to theirs were being breached for months and he never knew. If he had he could have adapted.


  • Closed Accounts Posts: 18,969 ✭✭✭✭syklops


    Khannie wrote: »
    Ah yeah...fire away. It's not spam if you're a regular contributor IMO.

    Def Con 22 - A report from the frontline

    Just spotted a typo which will get changed soon: it says "Turn out this year was 11,000"; that should read "Turn out last year was 11,000". This year was over 15,000.


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    syklops wrote: »
    Def Con 22 - A report from the frontline

    Just spotted a typo which will get changed soon: it says "Turn out this year was 11,000"; that should read "Turn out last year was 11,000". This year was over 15,000.

    Syklops,

    I just wanted to thank you for this, this was a fascinating read, I'm only sorry you had to queue up so long!

    I am awed you got to meet jduck in person, also am taking on board what you said about contactless payment. As a matter of fact I switched banks recently because my own was insisting on giving me a card to use for contactless - frankly I don't see how it saves time - the 3 seconds it takes me to enter my PIN isn't the problem, usually the teller inserting my card the wrong way round!

    Will you go back next year? My Uncle lives in Nevada so I'm seriously considering paying a visit.


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    Also what is it with "biometric" USB and hard drives?

    Aside from the fact they can be overcome easily with the use of gummi bears, in the event you were found to be in possession of one couldn't your local government grunt or Mafia henchman just press your thumb to the drive against your will?

    Colossal waste of time surely?


  • Closed Accounts Posts: 18,969 ✭✭✭✭syklops


    Syklops,

    I just wanted to thank you for this, this was a fascinating read, I'm only sorry you had to queue up so long!

    I am awed you got to meet jduck in person, also am taking on board what you said about contactless payment. As a matter of fact I switched banks recently because my own was insisting on giving me a card to use for contactless - frankly I don't see how it saves time - the 3 seconds it takes me to enter my PIN isn't the problem, usually the teller inserting my card the wrong way round!

    Will you go back next year? My Uncle lives in Nevada so I'm seriously considering paying a visit.

    I am hooked on Def Con now and will definitely be going back next year. I don't know why I didn't go before now.

    Flights plus accommodation came to about 2K, plus $220 for the DefCon ticket. I spent an additional 300 on equipment, and another 200 on booze (:eek:). Tbh, that is easily doable with a bit of scrimping and saving.

    I'm also thinking we need an Irish DefCon. I know there is Iriss, but it's more like Blackhat rather than DefCon. I already have ideas for names, but I'll write about that later.

    Currently working on a blog on hacking android phones using the OTG cable I bought. I'll paste it here when done.


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    syklops wrote: »
    and another 200 on booze (:eek:).
    :eek::eek:

    syklops wrote: »
    Currently working on a blog on hacking android phones using the OTG cable I bought. I'll paste it here when done.
    USB Condom protects your devices from nasty ports


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    I was reading about a breach in some US firm the other day, the breach was a few years back but the head guy was so pissed as similar setups to theirs were being breached for months and he never knew. If he had he could have adapted.
    Here it is.


    More than a Thousand US firms are after getting hit by the same "Backoff" Malware lately. Clever little one.
    According to the Secret Service, criminals are actively scanning corporate systems for remote access opportunities — a vendor with remote access to a company’s systems, for example, or employees with the ability to work remotely — and then deploying computers to guess user names and passwords at high speeds until they find a working combination.
    The hackers use those footholds to crawl through corporate networks until they gain access to the in-store cash register systems. From there, criminals collect payment card data off the cash register systems and send it back to their servers abroad.

    Last year, in the largest known breach against a retailer’s payment system, hackers invaded Target for weeks without being detected. The hackers’ malware stole customers’ data directly off the magnetic stripes of credit and debit cards used by tens of millions of shoppers.
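The credential-guessing pattern the article describes (one source trying many usernames at high speed against remote access, then logging in) is something a defender can pick out of authentication logs. The following is an added illustration, not code from the thread or from the Secret Service advisory; the log format, hostnames and IP addresses are constructed for the example.

```python
"""Flag sources that fail many remote-access logins in a short window,
and note whether the same source later got in (a foothold).
Constructed syslog-like format: ISO timestamp, outcome, user, source IP."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) remote-access: (?P<result>FAILED|ACCEPTED) login "
    r"user=(?P<user>\S+) src=(?P<src>\d+\.\d+\.\d+\.\d+)$"
)

# Constructed sample: 203.0.113.7 sprays usernames within seconds and then
# succeeds; 198.51.100.20 is a user mistyping a password twice.
SAMPLE_LOG = """\
2014-08-22T09:00:01 remote-access: FAILED login user=admin src=203.0.113.7
2014-08-22T09:00:02 remote-access: FAILED login user=vendor src=203.0.113.7
2014-08-22T09:00:02 remote-access: FAILED login user=pos1 src=203.0.113.7
2014-08-22T09:00:03 remote-access: FAILED login user=pos2 src=203.0.113.7
2014-08-22T09:00:03 remote-access: FAILED login user=backup src=203.0.113.7
2014-08-22T09:00:04 remote-access: FAILED login user=support src=203.0.113.7
2014-08-22T09:00:05 remote-access: ACCEPTED login user=support src=203.0.113.7
2014-08-22T09:15:10 remote-access: FAILED login user=jsmith src=198.51.100.20
2014-08-22T09:15:40 remote-access: FAILED login user=jsmith src=198.51.100.20
2014-08-22T09:16:02 remote-access: ACCEPTED login user=jsmith src=198.51.100.20
"""

def parse(log_text):
    """Yield (timestamp, src, user, result) for every line matching the format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["user"], m["result"]

def find_guessing(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {src: details} for sources with >= threshold failures inside `window`."""
    fails, users, accepted_after = defaultdict(list), defaultdict(set), {}
    for ts, src, user, result in parse(log_text):
        if result == "FAILED":
            fails[src].append(ts)
            users[src].add(user)
        elif src in fails:  # success following earlier failures from this source
            accepted_after[src] = (ts, user)
    hits = {}
    for src, times in fails.items():
        times.sort()
        for i in range(len(times)):  # sliding window over sorted failure times
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                hits[src] = {"failures": j - i + 1, "distinct_users": len(users[src]),
                             "foothold": accepted_after.get(src)}
                break
    return hits

if __name__ == "__main__":
    for src, info in find_guessing(SAMPLE_LOG).items():
        print(src, info)
```

The thresholds are deliberately low for the sample; on a real VPN or RDP gateway they would be tuned to the normal failure rate, and a hit with a `foothold` entry is the one to escalate first.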


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    syklops wrote: »
    I am hooked on Def Con now and will definitely be going back next year. I don't know why I didn't go before now.

    Flights plus accommodation came to about 2K, plus $220 for the DefCon ticket. I spent an additional 300 on equipment, and another 200 on booze (:eek:). Tbh, that is easily doable with a bit of scrimping and saving.

    I'm also thinking we need an Irish DefCon. I know there is Iriss, but its more like Blackhat rather than DefCon. I already have ideas for names, but I'll write about that later.

    Currently working on a blog on hacking android phones using the OTG cable I bought. I'll paste it here when done.

    I agree it's money well spent chief and even if you can set aside a token amount like 150 Euro a month it should be doable.

    Please do post your thoughts on Android phones on here. I'm seriously considering using an Android phone in conjunction with a VPS as a kind of software "dead man's switch" but am a little worried about all the supposed security holes.

    Have you had any experience with CyanogenMod or Replicant? I've rooted a Samsung Galaxy Ace with the "Cooper" build of CyanogenMod and am very impressed - it certainly runs much faster than my old OS, don't know if it's more secure though.


  • Closed Accounts Posts: 18,969 ✭✭✭✭syklops



    Beer in the hotel/casino was 8 dollars a bottle. In the hot Nevada heat it's very easy to have 5-6 beers in the course of the day and not really feel buzzed. 6 x 8 is $48. Have a cocktail in the evening (1) and it's $13, so daily spend on booze was about 61. Three and a half days. Yep.

    The last day we went to an off licence in the morning (I love the liberty of an off licence open at 8 am!) and bought a six pack and put it in our bags. That is frowned upon by some Goons, but the day before we met a guy with a cooler on wheels filled with ice and beer and he said so long as he didn't wheel it around the lobby no one had a problem, so we thought why not. For 12 dollars I got 6 bottles of Stella. Next year I'll do the same.


  • Registered Users Posts: 2,021 ✭✭✭ChRoMe


    Khannie wrote: »
    That's disgraceful tbh.

    That is most likely to allow you to take a photo of a cheque to deposit it electronically; if that is the case it's a perfectly reasonable requirement.


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    ChRoMe wrote: »
    That is most likely to allow you to take a photo of a cheque to deposit it electronically; if that is the case it's a perfectly reasonable requirement.
    Post 11


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    Just been working on generating secure passwords.

    With all the usual warnings about black bag and rubber hose "cryptography", I've found an excellent password checker on the Kaspersky Blog.

    What I like about it is that it tells you how quickly various devices would crack your password, e.g. a 2012 MacBook Pro or the Conficker botnet.

    I put in the last password I used for one of my external USB drives (which has since been changed) and was surprised to see that Conficker would have polished it off in just 20 days - sobering reading!


  • Registered Users Posts: 6,392 ✭✭✭AnCatDubh


    I've found an excellent password checker on the Kaspersky Blog.

    Nice one.

    Just throwing random stuff into it, it comes up with a funny:

    A given password holycowsbatman!-- will take 3 months to crack whereas if I add a third hyphen for it to become holycowsbatman!--- it takes 3 days.

    I know there's repeated characters in there and 'widely used combinations' as the tool will respond, but the repeated characters (though not as many of them) were there in the first example as were the combinations.

    Most recent advice I've come across all makes a virtue of elongating your password, which I kinda get in terms of the theory of it. If I keep adding hyphens to elongate the password then it increments the time taken as you might expect.

    Does it look like a bug in there somewhere or does that look like reasonable behaviour of the checker?


  • Registered Users Posts: 1,456 ✭✭✭FSL


    Not limiting it to keyboard characters, i.e. using 12 random bytes between hex 01 and hex FE (i.e. excluding 00 and FF), would take Conficker 5380 centuries and the supercomputer 33 centuries.
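The two posts above (the hyphen oddity and the 12-random-bytes figure) come down to keyspace arithmetic. This added estimator is not the Kaspersky checker's code and does not reproduce its numbers; it computes the exhaustive-search keyspace for a password, shows that appending characters can only enlarge it (so a falling estimate must come from pattern or dictionary rules, not brute force), and works out the bits for FSL's 254-symbol alphabet. The guess rate is an assumed figure for illustration only.

```python
"""Keyspace and brute-force time estimates for the passwords discussed above."""
import math
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600
ASSUMED_RATE = 1e9  # guesses per second; assumed for illustration, not measured

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive search must enumerate."""
    return alphabet_size ** length

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy if every position is chosen uniformly from the alphabet."""
    return length * math.log2(alphabet_size)

def brute_force_years(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Years to exhaust the keyspace at a constant guess rate (worst case)."""
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR

def effective_alphabet(password: str) -> int:
    """Size of the union of character classes present in the password, i.e. the
    alphabet a class-aware brute force would have to cover for it."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation, 32)]
    return sum(n for chars, n in classes if any(c in chars for c in password))

def brute_force_is_monotonic(password: str, extra: str, rate: float) -> bool:
    """True when appending `extra` does not lower the brute-force estimate.
    For keyspace arithmetic this always holds, which is why a checker whose
    estimate drops from months to days must be applying pattern rules."""
    longer = password + extra
    before = brute_force_years(effective_alphabet(password), len(password), rate)
    after = brute_force_years(effective_alphabet(longer), len(longer), rate)
    return after >= before

if __name__ == "__main__":
    for pw in ("holycowsbatman!--", "holycowsbatman!---"):
        a = effective_alphabet(pw)
        print(f"{pw}: alphabet {a}, {entropy_bits(a, len(pw)):.1f} bits, "
              f"{brute_force_years(a, len(pw), ASSUMED_RATE):.3g} years at 1e9/s")
    # FSL's 12 random bytes from 0x01..0xFE: 254 symbols per position
    print(f"12 bytes in 0x01-0xFE: {entropy_bits(254, 12):.1f} bits")
```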

